Snort mailing list archives
Re: snort and packet sniffing
From: Dean Price <dprice153 () charter net>
Date: Thu, 19 Aug 2004 11:35:58 -0400
I know of ethereal, tcpdump, and of course snort... Another question for anyone on the list: I was informed that snort will also show me the contents of an email message (in source format). This is why I decided to pursue snort over the other options out there.

On Thursday 19 August 2004 10:28 am, Matt Kettler wrote:
> At 09:29 PM 8/18/2004, Stef wrote:
> > The one reason I could think of would be formatting and output values of one, compared to the other, perhaps?!?!
>
> Possibly.. I mostly wanted to inspire the poster to consider other tools, ones which he/she may even already have installed or available as a package on their distro CD before downloading and installing snort.
>
> As an aside, it would be interesting to see which performs better under load.. I suspect that tcpdump will perform better, since use of text output in snort is discouraged and probably not a heavy focus of developer tweaking/tuning. (note: you'd have to use -n to tcpdump, since tcpdump does RDNS and /etc/services lookups by default, and snort doesn't support them at all. The RDNS could slow tcpdump down considerably)
>
> > See nicer and more complete description of fields, in snort's case ..
>
> Ahh, yes, snort's type:0x800 is much clearer than tcpdump's ethertype:IPv4. I suppose it's a matter of taste, and I'd agree that some might prefer one format vs another, but IMO, one of snort's weaknesses is vague and cryptic packet decode.
>
> (side comment on matters of taste: I'd love to commend the genius of ambiguity that created "iplen:" and "dgmlen:", which sound like they should be the same thing, the length of the IP datagram, but are really "ip header length" and "ip datagram length". How one gets "header" from "iplen" is beyond me.)
>
> -------------------------------------------------------
> SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media 100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33 Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift. http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- 
Thank You,
Dean Price
deano () price4 org
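To make Matt's point about snort's "iplen"/"dgmlen" labels concrete, here is an added example (written for this page, not code from the thread or from the Snort or tcpdump projects). It decodes a hand-built Ethernet II / IPv4 / TCP frame and renders the same header fields in two layouts: one that approximates snort's verbose decode (type:0x800, IpLen, DgmLen) and one that approximates tcpdump -n -e (ethertype IPv4, length). Both renderings are approximations of the real tools' formats, the sample frames are constructed rather than captured, the MAC and IP addresses are made up, and no reverse-DNS or /etc/services lookups are done, which is the behaviour tcpdump -n gives. The second frame carries four bytes of IP options so that IpLen (header length, 24) visibly differs from DgmLen (datagram length, 44); the decoder also checks every length the headers claim against the bytes actually present, since a forged IHL or total length is the usual way a decoder gets tricked into slicing garbage.

```python
"""Decode a constructed Ethernet II / IPv4 / TCP frame and render the header
fields two ways: a rendering that mimics snort's verbose (-v -e) decode
(type:0x800, IpLen, DgmLen) and one that mimics tcpdump -n -e (ethertype
IPv4, length).  Both renderings are approximations written for this example,
not the tools' real output.  No name or service lookups are done, which is
what tcpdump -n gives you and what snort does regardless."""
import struct

ETHERTYPE_IPV4 = 0x0800
TCP_FLAG_NAMES = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x10, ".")]


def build_frame(ip_options=b"", payload=b""):
    """Constructed sample frame (not a capture): 10.0.0.1:40000 -> 10.0.0.2:25, TCP SYN.
    ip_options lets the caller grow the IP header so IpLen differs from 20.
    Checksums are left at 0; nothing here validates them."""
    if len(ip_options) % 4:
        raise ValueError("IP options must pad to a 32-bit boundary")
    ihl_words = 5 + len(ip_options) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 25, 1, 0, 5 << 4, 0x02, 65535, 0, 0) + payload
    total_len = ihl_words * 4 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total_len, 0x1234,
                     0x4000, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    # Made-up MAC addresses: destination first, then source, then the ethertype.
    eth = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
           + struct.pack("!H", ETHERTYPE_IPV4))
    return eth + ip + ip_options + tcp


def _mac(raw, upper):
    fmt = "%02X" if upper else "%02x"
    return ":".join(fmt % b for b in raw)


def _ipv4(raw):
    return ".".join(str(b) for b in raw)


def decode_frame(frame):
    """Return a dict of header fields.  Every length the headers claim is checked
    against the bytes actually present so a truncated or forged IHL/total length
    raises instead of slicing garbage."""
    if len(frame) < 34:
        raise ValueError("frame too short for Ethernet + IPv4 headers")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("only IPv4 is decoded here, got ethertype 0x%04x" % ethertype)
    ip = frame[14:]
    (ver_ihl, tos, total_len, ident, flags_frag, ttl,
     proto, _csum, s, d) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("IP version is not 4")
    iplen = (ver_ihl & 0x0F) * 4        # IP header length in bytes: snort's IpLen
    if iplen < 20 or total_len < iplen or len(ip) < total_len:
        raise ValueError("IHL/total length inconsistent with the frame")
    fields = {
        "eth_dst": dst, "eth_src": src, "ethertype": ethertype, "frame_len": len(frame),
        "src": _ipv4(s), "dst": _ipv4(d), "ttl": ttl, "tos": tos, "id": ident,
        "iplen": iplen,                    # header length (20 unless options are present)
        "dgmlen": total_len,               # IP total length: snort's DgmLen
        "df": bool(flags_frag & 0x4000), "proto": proto,
    }
    if proto == 6 and total_len - iplen >= 20:
        sport, dport, seq, ack, off, flags, win = struct.unpack(
            "!HHIIBBH", ip[iplen:iplen + 16])
        fields.update(sport=sport, dport=dport, seq=seq, ack=ack,
                      tcplen=(off >> 4) * 4, flags=flags, win=win)
    return fields


def snort_style(f):
    """Approximation of snort -v -e output layout, using snort's own labels."""
    return "\n".join([
        "%s -> %s type:0x%X len:0x%X" % (_mac(f["eth_src"], True), _mac(f["eth_dst"], True),
                                         f["ethertype"], f["frame_len"]),
        "%s:%d -> %s:%d" % (f["src"], f["sport"], f["dst"], f["dport"]),
        "TCP TTL:%d TOS:0x%X ID:%d IpLen:%d DgmLen:%d%s" % (
            f["ttl"], f["tos"], f["id"], f["iplen"], f["dgmlen"], " DF" if f["df"] else ""),
    ])


def tcpdump_style(f):
    """Approximation of tcpdump -n -e output layout (no name resolution)."""
    flag_str = "".join(name for bit, name in TCP_FLAG_NAMES if f["flags"] & bit)
    return ("%s > %s, ethertype IPv4 (0x%04x), length %d: IP %s.%d > %s.%d: "
            "Flags [%s], seq %d, win %d, length %d" % (
                _mac(f["eth_src"], False), _mac(f["eth_dst"], False),
                f["ethertype"], f["frame_len"],
                f["src"], f["sport"], f["dst"], f["dport"], flag_str, f["seq"], f["win"],
                f["dgmlen"] - f["iplen"] - f["tcplen"]))


if __name__ == "__main__":
    for opts in (b"", b"\x01\x01\x01\x01"):   # second frame carries four NOP options
        f = decode_frame(build_frame(ip_options=opts))
        print(snort_style(f))
        print(tcpdump_style(f))
        print()
```

Running it prints the plain SYN first (IpLen:20 DgmLen:40) and then the frame with options (IpLen:24 DgmLen:44), which is the whole distinction Matt is complaining the labels obscure: IpLen only moves when the header grows, DgmLen moves with the header and the payload. Feed decode_frame a frame whose IHL or total length overruns the bytes on the wire and it raises rather than decoding past the end.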
Current thread:
- snort and packet sniffing Dean Price (Aug 18)
- Re: snort and packet sniffing Matt Kettler (Aug 18)
- Re: snort and packet sniffing Stef (Aug 18)
- Re: snort and packet sniffing James Riden (Aug 18)
- Re: snort and packet sniffing Matt Kettler (Aug 19)
- Re: snort and packet sniffing Dean Price (Aug 19)
- Re: snort and packet sniffing Matt Kettler (Aug 19)
- Re: snort and packet sniffing Martin Roesch (Aug 19)
- Re: snort and packet sniffing Matt Kettler (Aug 20)
- Re: snort and packet sniffing Stef (Aug 18)
- Re: snort and packet sniffing Matt Kettler (Aug 18)
- <Possible follow-ups>
- Re: snort and packet sniffing Richard Bejtlich (Aug 18)
- RE: Re: snort and packet sniffing Eric Hines (Aug 18)